When the hackers get hacked 
A blog series unveiling the Conti ransomware family

On 24 February 2022, Russia declared war on Ukraine and started its invasion. Subsequently, many ransomware gangs and other hacking groups started announcing with whom their allegiances lie [1] 

After expressing their explicit support on 25 February 2022 for the Russian government and threatening to „strike back at an enemy’s critical infrastructure“, the group operating the Conti ransomware family has faced severe backlash. Not only from cyber security professionals worldwide but also anti-Russian members within their own organisation [2] [3] [4]. A Ukrainian security researcher [5] under the alias ContiLeaks [6] took up digital arms and started leaking internal chats, source files, screenshots, manuals and other files. 

We will report on these leaks in a series of blog posts to come. Our goal is to understand better how the ransomware gang operates, who is involved and when, what challenges they face, and how are they organised. As we proceed with our research, we will report on interesting, noteworthy and critical findings from the leaks. 

To kick off the blog post series, we describe Conti, present an overview of the typical organisation of ransomware groups internally and present the data that has been leaked so far. 

Who is Conti? 

The Conti ransomware family was first seen in August 2020 and is allegedly operated by the Wizard Spider group [7] [8]. The Wizard Spider group consists of approximately 80 members and is based in and around St Petersburg in Russia. The group has been extorting companies in western countries using ransomware since at least 2017.  

First, the group extorted victims using Hermes ransomware between February 2017 and 2018. Then, the group switched to Ryuk ransomware between 2018 and 2020 [9] [10]. Subsequently, the group switched over to Conti ransomware and has been attacking companies using that ransomware until now.  

In the recent leaks, it is apparent that the group allegedly has received over $2,700,000,000 in BTC between April of 2017 and February 2022 [11]. This money likely originates from ransom payments made by victims of the group. 

How are ransomware gangs organized? 

Northwave created a framework on what roles there are inside a ransomware gang based on key insights from dealing with ransomware incidents. As part of our incident response process, we investigate the root cause of such incidents and talk to the actors behind the ransomware attack. From our experiences, we deducted that there are currently seven distinct roles within a ransomware attack. Each role follows from the objective of the attack’s specific activities. We would see each of these roles fulfilled by the same actor in the past. However, in recent years, we have seen that more and more actors are specialising in a single role within this model. 

As part of a blog series called Inside the world of ransomware, we wrote a more detailed overview of the different roles within a ransomware attack [12]. 

We will investigate if the roles identified by Northwave are also identifiable in the leaked documents and describe how the different actors interact. 

Leaked data 

The first leak took place on 27 February. In the days following, more data has leaked. As it stands, the current number of leaked files is 39. Below we constructed an overview of all the leaked files and a short description of what the leak contains. 

Original file name  Description 
1.tgz  Jabber chat logs 2021-2022 
2.tgz  Jabber chat logs 2020 
Screenshot from 2021-12-15 21-26-28.png  Chat with victims 
Screenshot from 2021-12-06 22-57-52.png  Chat with victims 
bazar_bots_domains_html.7z  Bazar panel 
bazar_bots_comments_html.7z  Bazar panel 
Screenshot from 2021-12-06 22-58-32.png  Chat interface 
Screenshot from 2021-12-15 17-29-58.png  Cobalt Strike interface 
Screenshot from 2021-12-15 17-31-08.png  Cobalt Strike interface 
Screenshot from 2021-12-15 21-26-28.png  Chat with victims 
conti_locker_v2.zip  Encrypted archive with source code 
bazar_bots.7z  Bazar panel 
backdoor.js.zip  .git folder with js and c++ refs 
sendmail-master-0a343a19f4f48dd8efd6c052c092fd5feec916ad.zip  Source code 
backdoor-master-3ad175864899c85021fa04cb24848a2bc66b1d16.zip  Source code 
import-master-ac16d180c391fce7a644f6c2a30fc3cfb37451f6.zip  Source code 
cadmin-master-b2675af7f27c05513f1fd8374ee7bc35a058f18f.zip  Source code 
admin-master-deb4694b0e9110ffcf84a42f70874a6e152c0b32.zip  Source code 
spoked-master-cf530950c30b81188d40c56b9a66e7d3bb21710c.zip  Source code 
storage_ebay_checker-master-599bede833e26b11db10fce55ee08ddd15280a6b.zip  Checks ebay account balance for given username and password 
srw-master-df4b6eddf7fdd2e07fb75d0492deeeb2e15f959e.zip  Laravel application 
storage_go-master-f4617f09d47a978d1128e0e1d77259900d62aac1.zip  go files that parse IPs and store them in a local postgres database  
storage_ex-master-e4827b099abefd719fc674519ea0d2622ea304e0.zip  Source code 
storage-master-3607d1f6a72e28efe84b55e8a660ff97db0e79a2.zip  Source code 
185.25.51.173-20220226.json  Jabber chat log 26-02-2022 
185.25.51.173-20220227.json  Jabber chat log 27-02-2022 
185.25.51.173-20220228.json  Jabber chat log 28-02-2022 
FMvM2_PXsAMdOof.png  Conti storage server 
FMvNB1mWUA4l4ud.png  Screenshot with networking configs 
FMvNWvqWYAEZ298.png  Screenshot with networking/wireshark configs 
rocket-chat.tgz  Rocket chats 2020-2022 
trickconti-forum.7z  Manuals/how-to’s 
3.tgz  Binman/docs repo 
FMwnZodWYAE1vDX.png  Screenshot of jabber chat with privnotes 
trickbot-command-dispatcher-backend.tgz  Erlang source code of application 
trickbot-data-collector-backend.tgz  Erlang source code of application 
FMw3KrXXEAUXAQJ.png  Sergei Loguntsov (https://github.com/loguntsov) aka. begemot 
conti_locker.7z  Conti source without locker src. 
jabber_logs.7z  Jabber chat logs 1st and 2nd of March 2022 

 

We will add any additional leaks to this list. The list was updated last on 2-3-2022 at 22:00 UTC. 

So far, the leaks seem only to contain internal communication of the Conti group. Northwave did not identify any data of her clients yet in the leaks. Of course, Northwave will closely monitor this and update any of her clients if their data becomes apparent in the leaks.